Support Forum
hbuenafe81
New Contributor III
ipsec vlan s2s loopback port not responding

Gentlemen,

I need support. As shown below, port 2601 on the server, which is mapped on loopback 10.2.202.10, is getting reset, but going directly to the server the port is open.

Need some help on why going to the loopback is resetting.

[attachment: ports.png]

TBogs
1 Solution
ozkanaltas
Valued Contributor II

Hello @hbuenafe81 ,

Can you run these diagnose commands and share the output with us? While running these commands you need to try to access 10.2.202.10:2601.

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter dport 2601
diagnose debug flow trace start 100
diagnose debug enable

Also, are you sure that your TCP/2601 service is listening on the server? Can you try it with this command?

execute telnet 10.3.131.120 2601

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
17 Replies
hbuenafe81
New Contributor III
Gents,

Need help, the port suddenly stopped working. Below is the debug for your information.

[attachment: log2601.png]

Regards,

TBogs
ozkanaltas
Valued Contributor II

Hello @hbuenafe81 ,

 

Do you have a VIP configuration related to 10.3.131.120:2601?

 

If you say yes, can you enter this command in that VIP configuration?

 

config firewall vip
edit "YOUR_VIP_NAME"
set arp-reply disable
end

 

If you don't use this VIP you can also delete it. 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
hbuenafe81
Hi ozkanaltas,

I have multiple entries on the VIP for this 10.3.131.120, although it was working earlier and suddenly stopped. Any idea based on the log provided?

TBogs
ozkanaltas
Valued Contributor II
Hi @hbuenafe81 ,

I suspect this line.

msg="VIP-10.3.131.120:2601,outdev-unknown

[attachment: image.png]

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
hbuenafe81
Thanks bro. I am also suspecting that, but I don't know what to do, to be honest. Need some expert here.

TBogs
ozkanaltas
Valued Contributor II
Hi @hbuenafe81 ,

You can try this command.

config firewall vip
edit "YOUR_VIP_NAME"
set arp-reply disable
end

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
hbuenafe81
I tried it already. All VIPs related to port 2601 have arp-reply disabled.

config firewall vip
edit "afaqy-stc-2601"
set extip 10.2.202.10
set mappedip "10.3.131.120"
set extintf "any"
set arp-reply disable
set portforward enable
set extport 2601
set mappedport 2601
next
end

TBogs
ozkanaltas
Valued Contributor II
Hi @hbuenafe81 ,

Isn't the 10.2.202.10 IP address defined on the router instead of the FortiGate? If so, why do you need to NAT on the FortiGate?

If not, can you try writing a rule that will directly reach the "afaqy-stc-2601" VIP object from the 172.40.0.0/16 network?

Source Intf : IPSEC Interface
Destination Intf : dmz Interface
Source Addr: afaqy-stc
Destination Addr : afaqy-stc-2601

Can you explain the flow of traffic a little more to make it clearer?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
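Reading the output of the `diagnose debug flow` commands suggested in the accepted answer by hand is tedious when a hundred traces come back, and the later posts show which lines matter: the VIP hit, the DNAT, the route lookup and the policy verdict. The following Python script is an added example, not code from the thread or from Fortinet. It groups debug-flow lines by trace_id, extracts the ingress interface, VIP, DNAT target, egress interface and policy verdict, and names the next check (a policy from the ingress to the egress interface with the VIP object as destination, or whether the server actually listens on the mapped port, which is what the telnet check in the answer tests). The sample lines are constructed in the usual FortiOS debug-flow layout; the addresses 10.2.202.10 and 10.3.131.120 are the thread's, while the client 172.40.1.5, the interface name afaqy-stc, policy id 12 and the exact message wording are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample output in the layout "diagnose debug flow trace start"
# prints (id=/trace_id=/func=/line=/msg=). The addresses 10.2.202.10 and
# 10.3.131.120 come from the thread; everything else (client 172.40.1.5,
# interface afaqy-stc, policy 12, exact message wording) is assumed.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 172.40.1.5:51234->10.2.202.10:2601) from afaqy-stc. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5800 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=fw_pre_route_handler line=184 msg="VIP-10.3.131.120:2601, outdev-unknown"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3419 msg="DNAT 10.2.202.10:2601->10.3.131.120:2601"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.3.131.120 via dmz"
id=20085 trace_id=1 func=fw_forward_handler line=744 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 172.40.1.5:51235->10.2.202.10:2601) from afaqy-stc. flag [S], seq 2000, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5800 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=fw_pre_route_handler line=184 msg="VIP-10.3.131.120:2601, outdev-unknown"
id=20085 trace_id=2 func=__ip_session_run_tuple line=3419 msg="DNAT 10.2.202.10:2601->10.3.131.120:2601"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.3.131.120 via dmz"
id=20085 trace_id=2 func=fw_forward_handler line=744 msg="Allowed by Policy-12: SNAT"
"""

# One regex per debug-flow step we care about.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s.*?func=(?P<func>\S+)\s.*?msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
VIP_RE = re.compile(r'VIP-(\S+?),')
DNAT_RE = re.compile(r'DNAT (\S+)->(\S+)')
ROUTE_RE = re.compile(r'find a route: .*? via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def parse_trace(text):
    """Group debug-flow lines by trace_id and pull out the steps of each trace."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug-flow line (prompt, blank, other debug output)
        t = traces.setdefault(m.group("tid"), {
            "src": None, "dst": None, "in_intf": None, "vip": None,
            "dnat_to": None, "out_intf": None, "verdict": None, "policy": None,
        })
        msg = m.group("msg")
        if (p := PKT_RE.search(msg)):
            t["src"], t["dst"], t["in_intf"] = p.group(2), p.group(3), p.group(4)
        elif (v := VIP_RE.search(msg)):
            t["vip"] = v.group(1)               # VIP that matched the destination
        elif (d := DNAT_RE.search(msg)):
            t["dnat_to"] = d.group(2)           # mapped IP:port after translation
        elif (r := ROUTE_RE.search(msg)):
            t["out_intf"] = r.group(1)          # egress interface from the route lookup
        elif (a := ALLOW_RE.search(msg)):
            t["verdict"], t["policy"] = "allowed", int(a.group(1))
        elif (dn := DENY_RE.search(msg)):
            t["verdict"], t["policy"] = "denied", int(dn.group(1))  # policy 0 = implicit deny
    return traces


def diagnose(t):
    """Map one parsed trace to the next thing worth checking."""
    if t["vip"] is None:
        return "no VIP hit for %s: the packet did not match any VIP" % t["dst"]
    if t["dnat_to"] is None:
        return "VIP %s matched but no DNAT line: check portforward/extport/mappedport" % t["vip"]
    if t["out_intf"] is None:
        return "DNAT to %s but no route found: check the route to the mapped IP" % t["dnat_to"]
    if t["verdict"] == "denied":
        return ("denied by policy %d after DNAT: no policy matches %s -> %s "
                "with the VIP object as destination" % (t["policy"], t["in_intf"], t["out_intf"]))
    if t["verdict"] == "allowed":
        return ("allowed by policy %d %s -> %s: if the client still gets a reset, "
                "check that the server listens on %s"
                % (t["policy"], t["in_intf"], t["out_intf"], t["dnat_to"]))
    return "trace incomplete: no policy verdict captured"


def report(text):
    """Return (trace_id, diagnosis) pairs for every trace in the captured output."""
    return [(tid, diagnose(t)) for tid, t in parse_trace(text).items()]


if __name__ == "__main__":
    for tid, verdict in report(SAMPLE_TRACE):
        print("trace %s: %s" % (tid, verdict))
```

Pipe the real capture in place of SAMPLE_TRACE (for example `report(open("flow.txt").read())`); lines that do not fit the debug-flow layout are skipped, so a raw console capture with prompts mixed in still parses. The sample deliberately contains one trace that ends in the implicit deny and one that is allowed, so both branches of the advice in the thread (write a policy from the IPsec interface to dmz with the VIP as destination, or verify the listener on the mapped port) are exercised.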